Drift Protocol's $280M Crypto Heist: A 6-Month In-Person Operation Linked to North Korean Hackers
**Drift Protocol**, a Solana-based trading platform, suffered a devastating $280 million loss due to a meticulously planned, six-month operation. The attackers infiltrated the **Drift** ecosystem by building trust with contributors through in-person meetings and sophisticated social engineering.

**Drift Protocol** reports that the recent $280+ million hack was the result of a long-term operation that involved establishing "a functioning operational presence inside the **Drift** ecosystem."
On April 1st, the platform detected unusual activity, confirming the loss of funds due to a sophisticated attack that hijacked the Security Council's administrative powers. Blockchain intelligence firms **Elliptic** and **TRM Labs** have attributed the theft to North Korean hackers, who reportedly drained user assets in approximately 12 minutes.
The investigation revealed that the hackers had been preparing the attack for at least six months, posing as representatives of a quantitative firm. They approached **Drift** contributors in person at various crypto conferences.
"It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific **Drift** contributors, in person, at multiple major industry conferences in multiple countries over the following six months," the company stated.
The threat actors communicated with their targets via **Telegram**, discussing trading strategies and potential vault integrations. They demonstrated technical proficiency and familiarity with **Drift's** operations, mimicking typical onboarding exchanges between trading firms and the platform. The **Telegram** group used for engaging contributors was deleted immediately after the theft.
### Attack Vectors
**Drift** believes two contributors were compromised through:
* A malicious code repository shared with a contributor, potentially exploiting a **VSCode**/Cursor vulnerability that allowed silent code execution.
* A malicious **TestFlight** application presented as a wallet product.
### Attribution
Investigations by **Elliptic** and **TRM Labs** strongly suggest the involvement of a North Korean threat actor. **Drift's** findings also indicate with medium-high confidence that the attack was perpetrated by **UNC4736** (a.k.a. **AppleJeus** and **Labyrinth Chollima**), a threat actor previously linked to North Korea by multiple security companies. **Mandiant** has associated **UNC4736** with **Lazarus**.
This same group is believed to be responsible for the **3CX** supply-chain attack in 2023, the $50 million **Radiant** cryptocurrency theft in 2024, and the exploitation of **Chrome** zero-days.
Notably, the individuals who met with **Drift** contributors at conferences were non-Korean intermediaries.
### Current Status
All **Drift Protocol** functions are currently frozen, and the compromised wallets have been removed from the multisig process. **Drift** has flagged the attackers' wallets across exchanges and bridge operators to prevent the movement or withdrawal of the stolen funds.